Digital In Action – 24-May-16

Is a Standard ‘NHS Online Account’

Feasible?

John Webb, Liverpool CCG Digital Care PM

Phil Stradling, NHSE Citizen Identity Lead

Vision for Citizen Identity

2

• A citizen can verify their identity once and use their choice of digital identity to access services

across care settings and the public sector in a safe and secure manner (federated identity)

What we’re testing with local health economies:

1. Enabling CCGs to drive digital relationships with patients and carers using a verified identity

2. Options for identity verification: a) GOV.UK Verify, and b) Local Verification

3. Matching a verified individual to their NHS number

4. Citizen controlled sharing of identity attributes

Healthy Liverpool Programme

Digital Care

• Interoperability

• Scale up Assistive Tech

• PHR to support• Information gathering

• Data sharing & Consents

• Self-care

• Joint decision-making

• Online interactions

Initial Hub Model

Local platform(Microsoft Azure)

Liverpool app portfolio

Referral

Pain Management app

Other Apps

Professional Portal

Patient

Email Invites

Message bus HospitalAPIs

Registration

Referrals

Microsoft

PHR

APIs

GP Practice

EMIS

Encryption

Keys

Clinician

Patient

GP Practice

GOV.UK Verify

• New way to prove who you are online

• Choice of 8 certified companies to verify your identity.

• Aim is an account that can be used across all Government services -including local government.

• Over 500k verified IDs so far

• Pipeline of services• 10 live: Tax/Pension/Driving License• 50 more on roadmap

• For more info see www.gov.uk/verify

5

A short video

Local Verification

6

CCGGP practice HSCIC

Registration form

Registration details

PID and NHS No

GP system

NHS Online account

Citizen

Set up social identity and phone

API

+ Evidence

of ID

Vouching App

RegistrationApp

Citizen

Revised Hub Model

Local platform

Liverpool app portfolio

Vouching app

Pain Management app

Other Apps

Professional Portal

Patient

Email Invites

Federation broker

HospitalAPIs

Registration

Referrals

Microsoft

PHR

APIs

GP Practice

EMIS

Consents

Keys

Clinician

Social identity providers

(e.g. Google)

GOV.UK Verify

HSCIC

Online accounts

Multi-factor authentication

service(using phone)

VerifyAccountsPatient

GP Practice

Evidence of ID

Login Liverpool Health App

2-Factor Authentication

Azure Active Directory B2C

Azure Service Bus

The case for a standard NHS Online Account

1. Citizen has control of their NHS Online Account• Only created with citizen’s consent • Citizen can ‘opt-out’ and delete their account

2. Minimal disclosure as an account consists of two data elements:• NHS no• Selected digital identity

3. Enables flexibility for local NHS bodies• Use of NHS no to create new local accounts• Use of NHS no to access existing records• Open market for app developers to innovate

4. Deployment options• HSCIC hosts the NHS Online Account with open APIs for access• CCGs host local instances of NHS Online Account, with HSCIC hosting a locator service

8

Current Situation

1. Liverpool is about to trial Verify & Local Verification

2. Ongoing risk mitigation work to address masquerading and safeguarding issues – across HSCIC, GDS, NHS

3. Starting to engage other NHS localities as early adopters

9

Support for Other Localities

• Available support:• GDS on-boarding team and process• SE CSU team and guidance on use of Citizen Identity• Liverpool docs, e.g. privacy impact assessment

• Re-usable components• HSCIC Matching service

• NHS Online account service• Integration with PDS for matching demographics to NHS No.

• Microsoft:• Federation broker and support for open standards• Interface with Verify

• Liverpool CCG• Vouching components• Trust framework policy/scripts

10

Q&A

• Questions

• Follow-ups

11

Locality B

Patient facing app

GDS hub

Architecture for enabling other localities

Access

Patient

Federation broker

Patient facing app

Verification +Authentication

Matching service

NHS Online account

OIDC

Locality A

Sign-in

Patient

Certified identity providerGOV.UK Verify

HSCIC

PID NHS no

PDS

Professional

SAML

• Cohort identification

• Sign-post to digital pathway

REST

Invite patients

Email

OIDC = OpenID Connect, a standard based on OAuth

NHS Two-Factor Authentication

External Services

Social Identity

Providers